From AwkwardTV
Jump to: navigation, search

How to create a user on the Apple TV

The goal of this document is twofold: to explain how to create a new user login, and to disallow the user frontrow from logging in via SSH. This approach improves security while still allowing scripts the ability to operate as the frontrow user.

The dscl command must be used when creating a new user on the command line. The adduser or useradd commands are not available.

Below are commands for creating the new user. Please follow them in order, and remember to subsitute "some_new_user" with your desired username. Make sure you make this subsitution!

Create a new entry in the local (/) domain under the category /users:

dscl / -create /Users/some_new_user

Assign bash as the UNIX shell:

dscl / -create /Users/some_new_user UserShell /bin/bash

Create and set the user’s full name:

dscl / -create /Users/some_new_user RealName "Some New User"

Assign the numeric user ID:

dscl / -create /Users/some_new_user UniqueID 503

Assign the numeric group ID (501 is the same as for frontrow):

dscl / -create /Users/some_new_user PrimaryGroupID 501 

Create and set the user's home directory:

dscl / -create /Users/some_new_user NFSHomeDirectory /Users/some_new_user

Set the password. Change "PASSWORD" with the actual password:

dscl / -passwd /Users/some_new_user PASSWORD

If you wish to give root privileges to the new user:

dscl / -append /Groups/admin GroupMembership some_new_user

Finally, create the user home directory, and add sufficient privileges on it:

mkdir /Users/some_new_user
chown -R some_new_user /Users/some_new_user

Since the new user login has been added to the admin group, it can become root using sudo:

sudo -s

At the password prompt, enter the password for the new user -- NOT the root password.

Disable password-based logins

The easier way to secure logins to the patched Apple TV, for now, is to configure dropbear to disable password-based logins and allow only public SSH keys. Be very careful when doing this procedure, as a misstep can result in being locked out of the Apple TV -- which means re-patching with ATVUSB-Creator.

(Note that if you ever lose your private SSH key on your host machine and have no backup, you'll have to re-patch again, because your machine can no longer log into the Apple TV. Fair warning!)

1. Start an instance of dropbear on a new port:

/usr/bin/dropbear -s -p 50022

2. Edit the startup script for dropbear, /System/Library/LaunchDaemons/com.atvMod.dropbear.plist, and prepend the -s switch to the arguments list so that it comes first. As an illustration, change this line:



<string>-s -b</string>

3. On the host machine (e.g. Mac laptop or Windows desktop), generate an SSH key. Refer to the online help for Windows SSH clients. The UNIX commandline example is:

ssh-keygen -t dsa

Enter a password, and the public SSH key will generate and end up in a file located at ~/.ssh/

4. Copy this file to the AppleTV and place it in ~some_new_user/.ssh/authorized_keys.

scp ~/.ssh/ ~some_new_user/.ssh/authorized_keys

5. Fix permissions of authorized_keys while logged in as the new user on the Apple TV:

chmod 0600 ~/.ssh/authorized_keys

6. On the host machine, log into the Apple TV using the temporary instance of dropbear. (On the Mac, an ssh-agent OS X dialog window will appear if run via Remember step 3 above? Enter your host machine's public SSH key password here.) The Apple TV itself should not ask you for your password:

ssh -p 50022 some_new_user@appletv.local

7. Verify that trying to log in as the frontrow user will fail immediately, as the -s switch disables password authentication:

ssh -p 50022 frontrow@appletv.local

8. Reboot the Apple TV -- but only if you are able to complete step 6! When it comes back up, you should be able to log in. The -s switch added to step 2 will take effect on reboot, the port-50022 instance will go away, and your SSH key will let you in.

Disable SSH logins for user frontrow

For this procedure, ensure that you are using the OpenSSH version of sshd. Note that the patchstick you may have used may contain the dropbear SSH daemon rather than OpenSSH. To install OpenSSH, read the page Install_SSH.

Next, edit /etc/sshd_config, and add the following lines to the end of the file:

AllowUsers some_new_user *@localhost *@appleTV.local *@192.168.1.* 
DenyUsers frontrow

The user-level filtering seems to work: the new user login is allowed in, and the frontrow user is denied.

News about future SSH daemons

[davilla writes] that the ATVUSB-Creator package will include an OpenSSH package in the next version, as licensing issues seem to be resolved.